Security features in Outlook Groups

Transport security

The Outlook Groups mobile app enforces a secure communication protocol (HTTPS) for all communication channels over public networks, and it uses certificate pinning to establish trust. To further protect our users' data, we only support certificates signed by well-known root certification authorities for communication between users and Office 365 services.

Data storage and security on the device

The Outlook Groups mobile app uses the mobile operating system’s encryption and security features to lock the app data so that it is completely segregated from other apps. The Outlook Groups mobile app service also doesn't store any email, files, calendar, or other group data. It stores only the user’s display name, email address, and an encrypted user token, which is used for authentication and app notifications.

Authentication

The Outlook Groups mobile app uses the OAuth protocol, which gives client applications secure delegated access. It authorizes access to Office 365 email, files, and so on without sharing the user’s username and password.

Blocking Outlook Groups mobile app

Administrators can block the Outlook Groups mobile app by using remote PowerShell to run one or both of the following cmdlets.

Enforcing device PIN lock for Groups

If your organization has set Exchange ActiveSync policies that require users to set up a PIN before they can connect and sync to their mailboxes, and your users have already established a connection to their work or school email on their devices, then a device-level PIN is likely already enforced by the device's main email client (for example, the iOS Mail app or the Outlook app). Also, most MDM solutions, such as the built-in Mobile Device Management (MDM) feature for Office 365, will let you set a PIN lock for your users’ work devices.

Additionally, you can configure the Mobile Application Management (MAM) policy to require a PIN to access the app. See Configure and deploy mobile application management policies in the Microsoft Intune console for more information. These application management capabilities with Intune are available with or without Intune’s device management features. MAM without device enrollment can be particularly valuable if you're using other MDM solutions to manage the devices within your organization, or in scenarios where your IT department is not able to enroll the devices.